Nitro PDF is malware

Nitro PDF uses your boot sector to store its license information. My Nitro PDF with OCR was not showing the OCR as being active so I decided to uninstall and reinstall. I deactivated first then used Revo to uninstall. The uninstall hung up and the system completely locked up. A hard boot brought up Windows 7's boot fixer utility which played for a few minutes and then the system restarted.

I couldn't find Nitro PDF nor would Revo show it so I tried to reinstall the software. The reinstall went fine but the software would not run giving this error.

“Multiple Restore Hard drive operations damaged the license and the product must be re-registered. #2”

As I'd had problems with their license when using a cloned drive for backup and also when I restored my system from a backup I decided to give the software the flick. I complained to the support people and asked for a utility to get their stuff out of my boot sector but they just play dumb. They said use Revo (I had) and provided a clean-up utility that doesn't do the job.

No software, other than a hard disk utility, should be allowed to play around in the boot sector.

Nitro's not necessarily a malware but acts like one in terms of its choice of hiding its license info. Writing to hidden sectors is not something that goes well with disk etiquette.

On two of the machines I've seen the lic. info written at (absolute) sectors 60 & 62. One of them had at least 3 'clean' OS installs. Nitro generates a machine code to prevent x-use of their legit licenses on multiple machines. Lic. info is based on this machine (HW) code. So 'Volume ID' (which changes every time the disk is formatted) alone does not alter your HW specs. If you have a legit license, it stays forever on your disk unless you deliberately choose to deactivate it. Deactivating does not remove the lic. data written at the hidden sectors. It is just marked as inactive. The lic. info survives any full formatting all because it resides at a pre-partition area on your disk. Dunno where it actually starts, but sector 62 is definitely the last choice to store that .5k lic. info.

If you tamper with or delete the license written on hidden sectors, Nitro complains about it next time it is launched. The authors of Nitro must be very sure of themselves that the hiding corner they've chosen could have never been found and/or edited. So, the deleted lic. info gets written on another sector next time you start the app. Kinda funny way of self-healing.

All the endeavor put in to keep the routines covert and encrypted readily fails in protecting the app. Dealing with crypto schemes requires more maths than programming capabilities. Every concerned SW author develops custom protection schemes but when it comes to crypto, almost all of them resort to using ready made, what I call, “package solutions”. I think this is the underlying reason why the apps using encryption are less secure than those of the tailor protected ones regarding their immunity against RE attacks.

Anyway, Nitro does a good job and deserves the money asked for. I'm a happy customer of them.

...is there any way to visualize the boot sector/track0 stuff to check for bad stuff?
how can a noob make sure there's no bad stuff in there?
should we all nuke our MBR/Track0 once in a while just to get rid of the cobwebs?


Disk editors let you see/manipulate MBR area (the boot sector). HxD is a nice and free one.

To see the contents of the hidden sectors you should always select the 'physical' disk, not the logical one. The logical disk starts with the 1st partition (absolute sector #63) and hence there are no hidden ones from that sector onwards. Sector 0 always starts with 33C0h (at offset 00) and ends with 55AAh (at offset 511) covering a total of 512 bytes in length (size of one sector) in which the master boot record resides (not the volume boot record or bootloader, which resides in the first sector of the first partition. BIOS transfers its job to MBR [sector #0] and MBR to VBR [sector #63], then the OS starts to load). You should avoid touching those areas by all means.

Between sector #1 & #62 there are 31,744 bytes of free space available divided into 62 sectors. Boot sector viruses and a few other legit apps (like Nitro) may use this area. Usually there is no fun in peeking at those sectors and they seldom need any cleaning.

What I discovered with Nitro was purely by chance (auto activation after initial launch on a freshly formatted and OS installed drive). Data on those sectors are machine readable only. So, one needs process explorers/debuggers to analyze the mechanics of root access, calls, data I/O operations, etc. before deciding if the stuff is bad or not. Trial and error wouldn't be something advisable if you play with your 'system disk' at the lowest level.

To see the contents of the hidden sectors you should always select the 'physical' disk, not the logical one. The logical disk starts with the 1st partition (absolute sector #63) and hence there are no hidden ones from that sector onwards. Sector 0 always starts with 33C0h (at offset 00) and ends with 55AAh (at offset 511) covering a total of 512 bytes in length (size of one sector) in which the master boot record resides (not the volume boot record or bootloader, which resides in the first sector of the first partition. BIOS transfers its job to MBR [sector #0] and MBR to VBR [sector #63], then the OS starts to load). You should avoid touching those areas by all means.


For Vista/7 the VBR doesn't often reside in sector #63. It's mostly sector #2048 (1MB), in preparation for correct alignment on Advanced Format drives. Hence, I assume, there are now extra hidden sectors between #63 and #2047.
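An added example, not posted by anyone in this thread: a small Python script that answers the "how can a noob check track 0" question from the two posts above. It reads sector 0 of a raw disk image, checks the 55AA signature, takes the first partition's start LBA from the MBR partition table (63 on the classic layout, 2048 on Vista/7), and lists every sector in the hidden gap that is not all zeros. The disk image and the "license blob" in it are constructed inline for the demo; the function names and the sample data are my own.

```python
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xAA"   # boot signature, bytes 510..511 of sector 0
PART_TABLE_OFFSET = 0x1BE     # four 16-byte partition entries

def parse_partitions(mbr):
    """Return (type, start_lba, sector_count) for each used MBR entry."""
    if len(mbr) < SECTOR or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("sector 0 lacks the 55AA signature; not a classic MBR")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        _flag, _chs0, ptype, _chs1, start, count = struct.unpack_from("<B3sB3sII", mbr, off)
        if ptype != 0 and count != 0:
            parts.append((ptype, start, count))
    return parts

def scan_hidden_sectors(image):
    """Return (first_partition_lba, [hidden sectors that are not all zero]).

    The gap is sectors 1 .. first_lba-1 (62 sectors on the classic layout,
    2047 on a Vista/7 1 MB-aligned disk). A freshly imaged disk normally has
    them all zero, so any non-blank sector deserves a closer look in a hex editor.
    """
    parts = parse_partitions(image[:SECTOR])
    if not parts:
        raise ValueError("no partitions in the MBR table")
    first_lba = min(p[1] for p in parts)
    used = [lba for lba in range(1, first_lba)
            if any(image[lba * SECTOR:(lba + 1) * SECTOR])]
    return first_lba, used

def build_sample_image(first_lba, payload_sectors):
    """Constructed test image (not from a real disk): MBR + hidden gap, with a
    fake license-style blob written into the given sectors."""
    mbr = bytearray(SECTOR)
    mbr[0:2] = b"\x33\xC0"   # xor ax,ax: the usual first opcode of MBR code
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xFE\xFF\xFF", first_lba, 204800)
    mbr[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    mbr[510:512] = MBR_SIGNATURE
    image = bytearray(SECTOR * (first_lba + 1))   # sectors 0 .. VBR
    image[:SECTOR] = mbr
    for lba in payload_sectors:
        image[lba * SECTOR:lba * SECTOR + 16] = b"SAMPLE-LIC-BLOB\x00"
    return bytes(image)

if __name__ == "__main__":
    img = build_sample_image(63, [60, 62])   # the layout described in the thread
    print(scan_hidden_sectors(img))           # (63, [60, 62])
```

On a real machine the same function can be fed the first few MB of the physical disk (not the logical volume) read with a disk-imaging tool; reading only, so nothing in the MBR or VBR is touched.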